commit:     67ee9d7026c6e3887eb590811aa1291682945840
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Oct 12 08:56:22 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Oct 12 08:56:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=67ee9d70

Allow setting ownership of ts/ directory

When creating the ts/ directory (in which sudo keeps timestamps), allow
the sudo application to set ownership.

No errors involved (only denial) but the end result is different (group
ownership is different, even though there is no group privilege).

---
 policy/modules/admin/sudo.if | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index b282877..58c456b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -161,6 +161,9 @@ template(`sudo_role_template',`
        ')
 
        ifdef(`distro_gentoo',`
+               # Set ownership of ts directory (timestamp keeping)
+               allow $1_sudo_t self:capability { chown };
+               # Create /var/run/sudo
                auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
        ')
 ')
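Review bot: `allow $1_sudo_t self:capability { chown };` grants CAP_CHOWN to the whole `$1_sudo_t` domain, while the comment above it ("Set ownership of ts directory") reads as if the grant were scoped to the ts/ directory; a capability is process-wide, so once it is allowed the domain may change the owner or group of any file it can otherwise access, not only the timestamp directory. Since the commit message says the only observable effect of the denial is a different group on the directory, it is worth stating in the comment (or the commit message) that the broader grant was considered and accepted, or alternatively checking whether a `dontaudit` of the chown capability gives an acceptable result if that group ownership does not matter for sudo's timestamp checks. Minor style point: refpolicy convention writes a single permission without braces (`allow $1_sudo_t self:capability chown;`), matching the rest of the file.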
